about summary refs log tree commit diff
path: root/spec/rails_helper.rb
AgeCommit message (Collapse)Author
2020-08-24Add WebAuthn as an alternative 2FA method (#14466)santiagorodriguez96
* feat: add possibility of adding WebAuthn security keys to use as 2FA This adds a basic UI for enabling WebAuthn 2FA. We did a little refactor to the Settings page for editing the 2FA methods – now it will list the methods that are available to the user (TOTP and WebAuthn) and from there they'll be able to add or remove any of them. Also, it's worth mentioning that for enabling WebAuthn it's required to have TOTP enabled, so the first time that you go to the 2FA Settings page, you'll be asked to set it up. This work was inspired by the one donde by Github in their platform, and despite it could be approached in different ways, we decided to go with this one given that we feel that this gives a great UX. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add request for WebAuthn as second factor at login if enabled This commits adds the feature for using WebAuthn as a second factor for login when enabled. If users have WebAuthn enabled, now a page requesting for the use of a WebAuthn credential for log in will appear, although a link redirecting to the old page for logging in using a two-factor code will also be present. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: add possibility of deleting WebAuthn Credentials Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: disable WebAuthn when an Admin disables 2FA for a user Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * feat: remove ability to disable TOTP leaving only WebAuthn as 2FA Following examples form other platforms like Github, we decided to make Webauthn 2FA secondary to 2FA with TOTP, so that we removed the possibility of removing TOTP authentication only, leaving users with just WEbAuthn as 2FA. Instead, users will have to click on 'Disable 2FA' in order to remove second factor auth. The reason for WebAuthn being secondary to TOPT is that in that way, users will still be able to log in using their code from their phone's application if they don't have their security keys with them – or maybe even lost them. * We had to change a little the flow for setting up TOTP, given that now it's possible to setting up again if you already had TOTP, in order to let users modify their authenticator app – given that now it's not possible for them to disable TOTP and set it up again with another authenticator app. So, basically, now instead of storing the new `otp_secret` in the user, we store it in the session until the process of set up is finished. This was because, as it was before, when users clicked on 'Edit' in the new two-factor methods lists page, but then went back without finishing the flow, their `otp_secret` had been changed therefore invalidating their previous authenticator app, making them unable to log in again using TOTP. Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com> * refactor: fix eslint errors The PR build was failing given that linting returning some errors. This commit attempts to fix them. * refactor: normalize i18n translations The build was failing given that i18n translations files were not normalized. This commits fixes that. * refactor: avoid having the webauthn gem locked to a specific version * refactor: use symbols for routes without '/' * refactor: avoid sending webauthn disabled email when 2FA is disabled When an admins disable 2FA for users, we were sending two mails to them, one notifying that 2FA was disabled and the other to notify that WebAuthn was disabled. As the second one is redundant since the first email includes it, we can remove it and send just one email to users. * refactor: avoid creating new env variable for webauthn_origin config * refactor: improve flash error messages for webauthn pages Co-authored-by: Facundo Padula <facundo.padula@cedarcode.com>
2020-03-21Bump sidekiq from 5.2.7 to 6.0.4 (#11727)dependabot-preview[bot]
* Bump sidekiq from 5.2.7 to 6.0.0 Bumps [sidekiq](https://github.com/mperham/sidekiq) from 5.2.7 to 6.0.0. - [Release notes](https://github.com/mperham/sidekiq/releases) - [Changelog](https://github.com/mperham/sidekiq/blob/master/Changes.md) - [Commits](https://github.com/mperham/sidekiq/compare/v5.2.7...v6.0.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> * Sidekiq::Logger.logger -> Sidekiq.logger * Drop support Ruby 2.4 * update Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Yamagishi Kazutoshi <ykzts@desire.sh>
2019-10-01Fix records not being indexed sometimes (#12024)Eugen Rochko
It's possible that after commit callbacks were not firing when exceptions occurred in the process. Also, the default Sidekiq strategy does not push indexing jobs immediately, which is not necessary and could be part of the issue too.
2019-01-15Disable Same-Site cookie implementation to fix SSO issues on WebKit browsers ↵Moritz Heiber
(#9819)
2018-10-08rubocop issues - Cleaning up (#8912)ashleyhull-versent
* cleanup pass * undo mistakes * fixed. * revert
2018-09-08feat(cookies): Use the same-site attribute to lax (#8626)Sorin Davidoi
CSFR-prevention is already implemented but adding this doesn't hurt. A brief introduction to Same-Site cookies (and the difference between strict and lax) can be found at https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/ TLDR: We use lax since we want the cookies to be sent when the user navigates safely from an external site.
2018-05-02Slightly reduce RAM usage (#7301)Eugen Rochko
* No need to re-require sidekiq plugins, they are required via Gemfile * Add derailed_benchmarks tool, no need to require TTY gems in Gemfile * Replace ruby-oembed with FetchOEmbedService Reduce startup by 45382 allocated objects * Remove preloaded JSON-LD in favour of caching HTTP responses Reduce boot RAM by about 6 MiB * Fix tests * Fix test suite by stubbing out JSON-LD contexts
2018-02-17Isolate each specs for cache store (#6450)Akihiko Odaki
The cache store is explicitly used by some specs, but they were not isolated and therefore not reliable. This fixes the issue by clearing the cache after each specs.
2018-01-07Fix force_ssl conditional (#6201)Yamagishi Kazutoshi
2018-01-05Fix enforce HTTPS in production. (#6180)Naoki Kosaka
2017-07-07Fix #4058 - Use a long-lived cookie to keep track of user-level sessions (#4091)Eugen Rochko
* Fix #4058 - Use a long-lived cookie to keep track of user-level sessions * Fix tests, smooth migrate from previous session-based identifier
2017-06-28Overwrite old statuses with reblogs in PrecomputeFeedService (#3984)Akihiko Odaki (@fn_aki@pawoo.net)
2017-06-25Add overview of active sessions (#3929)Eugen Rochko
* Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test
2017-06-23Revocable sessions (#3616)Sorin Davidoi
* feat: Revocable sessions * fix: Tests using sign_in * feat: Configuration entry for the maximum number of session activations
2017-05-10Disable sidekiq logging in test mode (#2962)Matt Jankowski
2017-05-05Misc spec coverage improvements (#2821)Matt Jankowski
* Dont use raise_error by itself (avoids warning) * Add coverage for AccountFilter * Improve coverage and refactor for Subscription#lease_seconds * Improve coverage and refactor for NotificationMailer * Simplify assignment of min/max threshold on subscription
2017-04-24Followers-only post federation (#2111)Eugen
* Make private toots get PuSHed to subscription URLs that belong to domains where you have approved followers * Authorized followers controller, stub for bulk action * Soft block in the background * Add simple test for new controller * Rename Settings::FollowersController to Settings::FollowerDomainsController, paginate results, rename "private" post setting to "followers-only", fix pagination style, improve post privacy preferences style, improve warning style * Extract compose form warnings into own container, show warning when posting to followers-only with unlocked account
2017-04-15Silence Devise deprecation warning about TestHelpers (#1840)Matt Jankowski
Devise changed their approach - https://github.com/plataformatec/devise/commit/3f3ec236bb50a2ae8b0eede90d8f7ecd201d7dbb This change silences a deprecation warning about `TestHelpers`
2017-04-15Introduce capybara and first feature spec (#1801)Chad Pytel
This commit introduces Capybara and the first feature spec. I focused on coverage for log in for the first feature spec because that would have prevented 624a9a7136159d460228a0c2f5df18a9ead3b7f2 causing #1236.
2017-04-05add more tests to modelsSamy KACIMI
2016-11-10Discard misattributed remote statuses, improve timelines filterEugen Rochko
2016-10-15Exclude blocked users from follow suggestions, fix testsEugen Rochko
2016-10-09Adding domain blocksEugen Rochko
2016-09-05Add API to upload media attachmentsEugen Rochko
2016-08-17Upgrade to Rails 5.0.0.1Eugen Rochko
2016-03-26Moving Salmon notifications to background processing, fixing mini-profilerEugen Rochko
behaviour with Turbolinks enabled, optimizing Rabl for production
2016-03-20Writing out more tests, fixed some bugsEugen Rochko
2016-03-06Adding GNU Public license, adding home timeline, reblog/favourite countersEugen Rochko
2016-02-28Adding a test for ReblogService, fixing mentions for remote statusesEugen Rochko
2016-02-25Adding a Mention model, test stubsEugen Rochko